Legichain for banks
Onboarding screening, nightly delta re-screening, transaction monitoring and supervisor-grade audit evidence on a single API — sized for the EBA Risk Factors Guidelines and ready for branch operations under MASAK 5549.
Tier-1 and tier-2 banks face a peculiar AML stack problem: three or four legacy vendors, each owning one slice of the workflow, none of them speaking the same data model. The compliance team ends up reconciling alerts across PDFs, the engineering team spends sprints stitching webhooks, and the supervisor still asks for one consolidated audit trail. Legichain replaces that fragmented surface with one API that screens at onboarding, re-runs deltas overnight, monitors transactions in flight, and produces the evidence pack your AML inspector actually wants — without forcing you to abandon your existing core banking system.
What slows a bank's AML programme down
False-positive load on common names
Generic fuzzy matching produces 5-10% positive rates on common Western and Turkish names, burying real hits in noise. A retail bank screening 80,000 onboardings monthly burns 40+ analyst-FTE just clearing repeat noise.
Re-screening the full portfolio nightly
OFAC, EU, UN and OFSI lists update daily. Re-screening 5M customers against the delta on a nightly batch is non-trivial when your vendor charges per call and your batch window is six hours.
Audit evidence the supervisor accepts
EBA Guidelines and most national regulators require 7-year retention of every screening decision: list snapshot, match logic, analyst disposition, PDF. Stitching that across three vendors after the fact is what triggers most enforcement actions.
Data residency for cross-border operations
EU customer data cannot leave the bloc under GDPR Article 44; Turkish branch data falls under KVKK localisation expectations; UK customers need MLR 2017 record retention. SaaS-only vendors fail this requirement in two markets out of three.
How Legichain solves them
Name-gated multiplicative confidence
We score sanctions and PEP matches on multiplicative confidence (name match × DoB × nationality × address corroboration) rather than additive fuzzy distance. In production at tier-2 banks this drops false positives by 85-92% versus legacy fuzzy-match vendors, while keeping recall above 99.7% against OFAC SDN cases.
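The difference between the two scoring approaches, as an added example that is not Legichain's code: a weighted-sum score and a name-gated multiplicative score run over the same constructed records. The gate, alert threshold and factor values are assumptions chosen for illustration, and address corroboration is left out to keep the sketch short.

```python
from difflib import SequenceMatcher

# Assumed values for illustration only; not vendor parameters.
NAME_GATE = 0.85   # name similarity below this yields no match at all
ALERT_AT = 0.60    # both scorers alert at or above this score
# Corroboration factors: (agrees, unknown on either side, contradicts)
DOB_FACTOR = (1.0, 0.8, 0.2)
NAT_FACTOR = (1.0, 0.9, 0.5)

# Constructed watchlist entry and customer records (not real list data).
LISTED = {"name": "Mehmet Yilmaz", "dob": "1971-03-02", "nat": "TR"}
SAME_PERSON = {"name": "Yilmaz Mehmet", "dob": "1971-03-02", "nat": "TR"}
NAMESAKE = {"name": "Mehmet Yilmaz", "dob": "1994-11-20", "nat": "TR"}
NO_DOB = {"name": "Mehmet Yilmaz", "dob": None, "nat": "TR"}
OTHER_NAME = {"name": "Ahmet Kaya", "dob": "1971-03-02", "nat": "TR"}


def name_similarity(a, b):
    """Order-insensitive, case-insensitive similarity in [0, 1]."""
    def norm(s):
        return " ".join(sorted(s.lower().split()))
    return SequenceMatcher(None, norm(a), norm(b)).ratio()


def factor(listed, customer, weights):
    """Pick the multiplier for one corroborating attribute."""
    agrees, unknown, contradicts = weights
    if listed is None or customer is None:
        return unknown
    return agrees if listed == customer else contradicts


def additive_score(listed, cust):
    """Weighted sum: a strong name match alone can cross the threshold."""
    name = name_similarity(listed["name"], cust["name"])
    dob = 1.0 if listed["dob"] == cust["dob"] else 0.0
    nat = 1.0 if listed["nat"] == cust["nat"] else 0.0
    return 0.7 * name + 0.2 * dob + 0.1 * nat


def multiplicative_score(listed, cust):
    """Name gates the match; each attribute then scales the confidence."""
    name = name_similarity(listed["name"], cust["name"])
    if name < NAME_GATE:
        return 0.0
    return (name * factor(listed["dob"], cust["dob"], DOB_FACTOR)
            * factor(listed["nat"], cust["nat"], NAT_FACTOR))
```

With these assumed values the namesake with a contradicting date of birth alerts under the weighted sum but not under the multiplicative score, while a record with a missing date of birth still alerts, so absent data does not silently suppress a hit.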
Delta re-screening with webhook delivery
Every list update produces a delta diff; we re-screen only customers whose risk surface changed. A 5M portfolio finishes nightly delta re-screening in 18 minutes on standard infrastructure. New hits stream to your case management via signed webhook — no batch FTP, no daily file pickup.
Evidence chain built into every call
Every screening call retains the exact list snapshot used, the match logic version, the disposition timestamp, the analyst ID and a regulator-grade PDF. The audit archive is queryable for 7 years on Enterprise plans, and can be pinned to your own AWS S3 bucket or private object storage if you need data residency or extended retention. One JSON export feeds your annual SREP submission.
Bring-your-own storage for sensitive data
Banks with hard data residency obligations point Legichain at their own AWS S3 bucket, private object store or SFTP target as the persistent home for the audit archive, screening payloads and any document scans. The screening engine and list distribution pipeline stay managed on our side; customer-identifying data never persists in Legichain's databases. Writes happen directly from our compute via signed URLs or a cross-account IAM role you control.
What you get out of the box
- Sub-150 ms sanctions and PEP screening at the onboarding form
- Nightly portfolio delta re-screening with webhook alert delivery
- Bank-grade audit archive: every call, every hit, every PDF retained for 7 years
- Bring-your-own storage (AWS S3, private object store) for the audit archive and customer PII
- Built-in EBA, FCA, MASAK and BDDK report export formats
- Pre-formatted STR / SAR output files for direct supervisor submission
Regulatory coverage
Legichain is designed against the actual frameworks our banking customers report under, not retrofitted to them. For EU and UK banks, our defaults map directly to the EBA and FCA expectations. For Turkish branches and subsidiaries, MASAK 5549 obligations are built into the same surface.
EBA Risk Factors Guidelines (Rev. 2023)
Our risk scoring model implements the customer, product, channel and geography risk factors set out in the EBA Guidelines on customer due diligence, with documented thresholds you can adjust for your institution's risk appetite.
AMLD5 / AMLD6 (Dir. EU 2018/843 and 2018/1673)
Beneficial-ownership lookup, enhanced due diligence on high-risk third countries, predicate-offence tagging for SAR production and criminal-liability documentation for institutions and senior managers — all wired into the default workflow.
EBA Remote Onboarding Guidelines (Oct 2023)
Our digital KYC stack (NFC chip authentication, ICAO 9303 document verification, ISO/IEC 30107-3 PAD Level 2 liveness) implements every safeguard the EBA Guidelines require of a fully remote onboarding flow.
MASAK Communiqué + Law No. 5549 (Turkish branches)
For European banks operating Turkish branches or subsidiaries, the same platform produces MASAK-format suspicious transaction reports, supports the 30-day BDDK remote-onboarding retention window and exposes a Turkish-language analyst panel.
Frequently asked questions
How does Legichain compare to legacy sanctions screening vendors on false-positive rate?
In our published benchmark against the OFAC SDN list with 100,000 real onboarding records from a tier-2 European bank, legacy fuzzy-match vendors produced 4.6-7.8% positive rates depending on configuration. Legichain, with name-gated multiplicative confidence, produced 0.4-0.9% on the same dataset while maintaining recall above 99.7% against seeded sanctioned individuals. The difference compounds: a bank doing 80,000 monthly onboardings sees roughly 5,500 fewer manual reviews per month. We publish the methodology and welcome a parallel run against your own historical data.
Can we keep customer data in our own environment for data residency reasons?
Yes — through a bring-your-own-storage model, not a full lift-and-shift. The screening engine, match-grouping logic and list distribution pipeline stay managed by Legichain. What changes is the data store: the audit archive, screening payloads and any document scans are written directly to your AWS S3 bucket, private object store or SFTP target via signed URLs or a cross-account IAM role you control. Customer-identifying data never persists in Legichain's databases. Two of our tier-1 European banking customers run this pattern under hard GDPR Article 44 constraints.
How does Legichain handle the EBA Remote Onboarding Guidelines from October 2023?
The EBA Guidelines require remote onboarding flows to implement compensating controls equivalent to face-to-face identification — typically NFC chip authentication, ICAO 9303 document verification, ISO/IEC 30107-3 PAD Level 2 liveness detection and a documented risk-based step-up. Our digital KYC stack ships with all four enabled by default. We provide a control-mapping document that your compliance team can submit to the national competent authority as part of the remote-onboarding policy filing.
What about Turkish branches subject to MASAK 5549?
European banks with Turkish branches or subsidiaries face dual reporting: EBA-mapped controls for the home regulator and MASAK 5549 obligations for Turkish operations. Legichain runs both off the same screening engine. MASAK suspicious transaction reports are produced in the official format, the analyst panel ships in Turkish, and the BDDK remote-onboarding requirements (NFC plus video for higher-risk customer segments) are wired into the same SDK used in EU jurisdictions.
What is the typical implementation timeline for a tier-2 bank?
From signed contract to first production traffic, our typical tier-2 bank implementation runs 10-14 weeks. The first 3-4 weeks are configuration: ingesting your existing risk-rule library, mapping our risk taxonomy to yours, setting up the audit-archive export to your internal data lake. Weeks 5-8 are parallel run against your incumbent vendor. Weeks 9-12 are progressive traffic migration starting at 1% and ramping to 100%. The transaction-monitoring side can be added separately on its own 8-week track if you want it.
